3eff31a9084b4a8a1587ba2fc43ab4e055e70979 hiram Tue Apr 28 14:53:55 2026 -0700 eliminate the HTTP_REFERER check and depend just on the userId cookie for security refs #31811
diff --git src/hg/hubApi/findGenome.c src/hg/hubApi/findGenome.c
index 63c63ba8ee8..cd75f1c59e4 100644
--- src/hg/hubApi/findGenome.c
+++ src/hg/hubApi/findGenome.c
@@ -554,57 +554,36 @@
 */
 {
 char *extraArgs = verifyLegalArgs(argAssemblyRequest);
 if (extraArgs)
 apiErrAbort(err400, err400Msg, "extraneous arguments found for function /assemblyRequest '%s'", extraArgs);
 char *asmId = cgiOptionalString(argAsmId);
 char *name = cgiOptionalString(argName);
 char *email = cgiOptionalString(argEmail);
 char *betterName = cgiOptionalString(argBetterName);
 char *comment = cgiOptionalString(argComment);
 if (isEmpty(asmId) || isEmpty(name) || isEmpty(email))
 apiErrAbort(err400, err400Msg, "must have arguments: %s, %s, %s for endpoint '/assemblyRequest'", argAsmId, argName, argEmail);
-/* require referer to be our own assemblySearch.html, mirroring apiLiftRequest */
+/* Require a session cookie. Robots that have not
+ * passed the challenge will not have one. */
 char *cookieName = hUserCookie();
 char *userId = findCookieData(cookieName);
-char *referer = getenv("HTTP_REFERER");
-char dir[PATH_LEN];
-char fname[FILENAME_LEN];
-char ext[FILEEXT_LEN];
-if (isNotEmpty(referer) && isNotEmpty(userId))
- {
- /* assemblySearch.html uses history.pushState to add query strings to its
- * URL, so the referer arrives as e.g. ".../assemblySearch.html?searchBox=foo".
- * Strip query/fragment before splitPath so the .html extension matches. */
- char *cleanRef = cloneString(referer);
- char *q = strchr(cleanRef, '?');
- if (q) *q = '\0';
- q = strchr(cleanRef, '#');
- if (q) *q = '\0';
- splitPath(cleanRef, dir, fname, ext);
- if (! (endsWith(dir, ".ucsc.edu/") && sameWord(fname, "assemblySearch") && sameWord(ext, ".html")))
+if (isEmpty(userId))
 apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/assemblyRequest'");
- freeMem(cleanRef);
- }
-else
- {
- if (! debug)
- apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/assemblyRequest'");
- }
 /* the ottoRequest table has no name/betterName columns, fold them into comment */
 struct dyString *fullComment = dyStringNew(0);
 dyStringPrintf(fullComment, "name: '%s'", name);
 if (isNotEmpty(betterName))
 dyStringPrintf(fullComment, "; betterName: '%s'", betterName);
 if (isNotEmpty(comment))
 dyStringPrintf(fullComment, "; comment: '%s'", comment);
 char nowTime[256];
 time_t seconds = clock1();
 struct tm *timeNow = localtime(&seconds);
 strftime(nowTime, sizeof nowTime, "%Y-%m-%d %H:%M:%S", timeNow);
 struct dyString *msg = dyStringNew(0);
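Review bot: With the Referer test gone, `if (isEmpty(userId))` is the only gate on /assemblyRequest, and a non-empty cookie is not an origin check: a browser attaches that cookie automatically to a cross-site form post, so any third-party page can now submit a request on behalf of a visitor who holds the cookie, and if the cookie is issued on any first visit rather than only after a challenge (not visible in this hunk) a scripted client obtains one with a single prior request. Consider validating the cookie value against the session store instead of testing it for emptiness, and rejecting requests whose `HTTP_ORIGIN` or `HTTP_SEC_FETCH_SITE` CGI variables do not indicate the site's own origin, which restores the cross-site protection the old check provided without its fragility. The new comment also asserts more than the code does; `/* Require the userId cookie; only its presence is checked here, not its value. */` would describe the check accurately. The enclosing function's signature is above the hunk and its body appears to continue below it.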